#!/bin/bash

# * input file
# user_list.txt
# <ignored id>;<user name>;<group>[;override password][;override hostname]
# lines with # are skipped
# already created users are skipped
# * output file
# <date>;<target connect host name>;<hostname>;<username>;<password>
# If already existing PEM key is used then <password> is [ALREADY SET]
#
# * PEM KEY
# <hostname>%<group>%<user>%<ssh key type>.pem
# * PUBLIC KEY
# <hostname>%<group>%<user>%<ssh key type>.pem.pub
# stored as zip in
# zip/
#
# If a previously exsting PEM key should be used, put the public pem file
# into the ssh-keygen/ folder
# They pem pub key must follow the set rules above

# SET TO 1 to TEST [will no create user/group/folder]
TEST=0;
while getopts ":t" opt; do
	case "${opt}" in
		t|test)
			TEST=1;
			;;
	esac;
done;
# hostname for output file only
host=$(hostname);
timesamp=$(date +%Y%m%d-%H%M%S)
# character to set getween info blocks
separator="#";
# base folder for all data
root_folder=$(pwd)'/';
input_file='user_list.txt';
output_file="user_password.${timesamp}.txt";
output_zip_folder='zip/';
output_zip="users.${timesamp}.zip"
ssh_keygen_folder='ssh-keygen/';
ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
ssh_keytype='ed25519';
# check if ssh key folder exists
if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
	mkdir "${root_folder}${ssh_keygen_folder}";
fi;
# check if zip folder is missing
if [ ! -d "${root_folder}${output_zip_folder}" ]; then
	mkdir "${root_folder}${output_zip_folder}";
fi;
# check if password generate software is installed
if [ ! command -v pwgen &> /dev/null ]; then
	echo "Missing pwgen application, aborting";
	exit;
fi;
# check for zip
if [ ! command -v zip &> /dev/null ]; then
	echo "Missing zip application, aborting";
	exit;
fi;
# check if user list file exists
if [ ! -f "${root_folder}${input_file}" ]; then
	echo "Missing ${root_folder}${input_file}";
	exit;
fi;
# make sure my own folder is owned by root and 600 (except for testing)
if [ $(stat -c %a .) != "600" ]; then
	echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
fi;
if [ $(whoami) != "root" ]; then
	if [ ${TEST} -eq 0 ]; then
		echo "Script must be run as root user";
		exit;
	else
		echo "!!!! Script must be run as root user !!!!";
	fi;
fi;
# create users
cat "${root_folder}${input_file}" |
while read i; do
	# skip rows start with # (comment)
	if [[ "${i}" =~ ^\# ]]; then
		echo -e "";
	else
		# make lower case, remove spaces
		user=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
		_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
		group=$(echo "${_group}" | cut -d "," -f 1);
		sub_group="";
		sub_group_opt="";
		# check if "," inside and extract sub groups
		if [ -z "${_group##*,*}" ]; then
			sub_group=$(echo "${_group}" | cut -d "," -f 2-);
			sub_group_opt=" -G ${sub_group}";
		fi;
		# override host name, lowercase and spaces removed
		_hostname=$(echo "${i}" | cut -d ";" -f 5 | tr A-Z a-z | tr -d ' ');
		if [ -z "${_hostname}" ]; then
			hostname=${host};
		else
			hostname=${_hostname};
		fi;
				# do we have a password preset
		_password=$(echo "${i}" | cut -d ";" -f 4);
		# user & group not set
		if [ -z "${user}" ] || [ -z "${_group}" ]; then
			echo "[!!!!!] Missing user or group entry for ${user}/${_group}";
			echo "[ABORT RUN]"
			break;
		fi;
		# add group for each entry in _group
		for create_group in ${_group//,/ }; do
			if [ ${TEST} -eq 0 ]; then
				groupadd -f ${create_group};
			else
				echo "$> groupadd -f ${create_group}";
			fi;
		done;
		# SSH file name part without folder
		ssh_keygen_id="${hostname}${separator}${group}${separator}${user}${separator}${ssh_keytype}.pem";
		# the full file including folder name
		ssh_keyfile="${root_folder}${ssh_keygen_folder}${ssh_keygen_id}";
		# publ file if new
		ssh_keyfile_pub="${ssh_keyfile}.pub";
		# check existing pub file
		ssh_keyfile_check_pub="${root_folder}${ssh_keygen_folder_created_pub}${ssh_keygen_id}.pub";
		# check if user is not already created
		if getent passwd ${user} > /dev/null 2>&1; then
			echo "-- Skip '${user}:${group}(${sub_group})'";
		else
			echo "++ Create '${user}:${group}(${sub_group})'";
			if [ ${TEST} -eq 0 ]; then
				useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
			else
				echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";
			fi;
		fi;
		skip_ssh=0;
		# if public pem already exists skip creation
		if [ ! -f "${ssh_keyfile_check_pub}" ]; then
			# Note we only create a password if we need it
			# password + store pwgen 10 1 -1
			if [ -z "${_password}" ]; then
				password=$(printf "%s" $(pwgen 10 1));
			else
				echo "! Override password set";
				password=${_password};
			fi;
			# create SSH key
			echo " > Create ssh key-pair '${ssh_keyfile}'";
			ssh-keygen \
				-t ${ssh_keytype} \
				-f "${ssh_keyfile}" \
				-C "${hostname}: ${user}@${group}" \
				-a 100 -N "${password}"
		else
			found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${user}/.ssh/authorized_keys);
			if [ ! -z "${found}" ]; then
				skip_ssh=1;
				# override previously set with stored one
				ssh_keyfile_pub=${ssh_keyfile_check_pub};
				echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
			else
				echo " < Use existing public ssh key '${ssh_keygen_id}.pub'";
				# Password already set notification
			fi;
			password="[ALREADY SET]";
		fi;
		if [ ${skip_ssh} -eq 0 ]; then
			# write login info to output file
			echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file};
			# create the SSH foler and authorized access file with correct permissions
			echo " > Create .ssh folder";
			if [ ${TEST} -eq 0 ]; then
				mkdir /home/${user}/.ssh/;
			else
				echo "$> mkdir /home/${user}/.ssh/";
			fi;
			echo " > Add public into authorized_keys";
			if [ ${TEST} -eq 0 ]; then
				cat "${ssh_keyfile_pub}" > /home/${user}/.ssh/authorized_keys;
			else
				echo "$> cat ${ssh_keyfile_pub} > /home/${user}/.ssh/authorized_keys";
			fi;
			echo " > Secure folder .ssh and authorized_keys file";
			if [ ${TEST} -eq 0 ]; then
				chown -R ${user}:${group} /home/${user}/.ssh/;
				chmod 700 /home/${user}/.ssh/;
				chmod 600 /home/${user}/.ssh/authorized_keys;
			else
				echo "$> chown -R ${user}:${group} /home/${user}/.ssh/";
				echo "$> chmod 700 /home/${user}/.ssh/";
				echo "$> chmod 600 /home/${user}/.ssh/authorized_keys";
			fi;
		fi;
	fi;
done;

# zip everything and remove data in ssh key folder, delete output file with passwords
zip -r \
	"${root_folder}${output_zip_folder}${output_zip}" \
	"${input_file}" \
	"${output_file}" \
	"${ssh_keygen_folder}" \
	-x\*.gitignore;
echo "Download: ${root_folder}${output_zip_folder}${output_zip}";
# cleam up user log file and ssh keys
if [ ${TEST} -eq 0 ]; then
	# move pub to created folders
	mv "${root_folder}${ssh_keygen_folder}"*.pub "${root_folder}${ssh_keygen_folder_created_pub}";
	# delete the rest
	rm "${root_folder}${output_file}";
	rm "${root_folder}${ssh_keygen_folder}"*;
else
	echo "$> mv ${root_folder}${ssh_keygen_folder}*.pub ${root_folder}${ssh_keygen_folder_created_pub};";
	echo "$> rm ${root_folder}${output_file}";
	echo "$> rm ${root_folder}${ssh_keygen_folder}*";
fi;